The legal system has ticked along and now they have to stand up for their charges, which are spiraling as more and more cases are linked to them.

Albert “Segvec” Gonzalez has been indicted by a federal grand jury in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.

According to the court document, the hackers allegedly stole more than 130 million credit and debit card numbers (.pdf) from Heartland and Hannaford combined. Prosecutors say they believe these breaches constitute the largest data-breach and identity-theft case ever prosecuted in the United States. They’re investigating other breaches and have not ruled out Gonzalez’s involvement in even more intrusions.

“We’re not seeing a huge array of hackers capable of doing this, but rather a more select group, [and that] demonstrates that there is a level of sophistication involved in these hacks,” said Assistant U.S. Attorney Erez Liebermann of the Justice Department’s New Jersey district office.

As with most things, 80% of the damage is done by 20% of the people. I’d say in this case it’s more like 98% of the damage is done by 2% of the hackers only a few of which ever get caught.

I think these guys just got too greedy and went after too many targets, but then their credit card theft ring is called “Operation Get Rich or Die Tryin”. They aren’t likely to die, but they are likely to go down for a long time.

But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies. Jury selection is slated to begin Sept. 14 in one of those cases. With regard to the Heartland-Hannaford cases, Gonzalez and the two unnamed Russian hackers have been charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit wire fraud.

They each face a maximum penalty of five years in prison and a possible maximum fine of $250,000 on the computer-fraud count and an additional 30 years and $1 million fine on the wire-fraud count, or twice the amount they gained from the offense, whichever is greater.

Attorneys for Gonzalez were not available for comment.

According to the New Jersey indictment, Gonzalez, 28, and an uncharged conspirator identified only as “P.T.,” allegedly found their targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used and uncover vulnerabilities. The hackers used computers they leased or controlled in California, Illinois and New Jersey as well as in Latvia, Ukraine and the Netherlands to store malware, launch their attacks against the networks, and receive the stolen numbers.

If you tally up all the counts that could be one hell of a sentence, especially with the 30 years for the wire-fraud tacked on. I guess if they ever manage to get out of prison, they might get to enjoy the millions they have stolen.

That is assuming they’ve laundered it and stashed it safely somewhere outside the jurisdiction of a US federal investigation.

Either way it’s an interesting case and I’m sure there will be more news about it.

PCI compliance is there for a reason. The problem is with PCI scanners that don’t take in to count backport patching. I would like to hear news of how many of the little guys getting taken for everything without even knowing.

Down to basics, companies need to start hiring real admins. Pay the fuck up or get hacked the fuck out. It’s bullshit that a Linux sysadmin is pulling 30k while an air-conditioner repairman is getting 70-90k.